census | Posts

FreeBSD kernel NFS client local vulnerabilities

[ posted by argp on 23.05.2010 ]

census ID:	census-2010-0001
CVE ID:	CVE-2010-2020
Affected Products:	FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE
Class:	Improper Input Validation (CWE-20)
Remote:	No
Discovered by:	Patroklos Argyroudis

We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.

FreeBSD kernel exploitation mitigations

[ posted by argp on 26.04.2010 ]

In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD. A few people at the conference have subsequently asked me to elaborate on the subject. In this post I will collect all the information from my talk and the various discussions I had in the Black Hat conference hallways.

Linux kernel SUNRPC off-by-two buffer overflow

[ posted by argp on 01.12.2009 ]

census ID:	census-2009-0005
Affected Products:	Linux kernel versions from 2.6.32 to 2.6.32-rc7.
Class:	Off-by-two stack buffer overflow.
Discovered by:	Patroklos Argyroudis

We have found an off-by-two stack buffer overflow in the Linux kernel SUNRPC implementation. Linux kernel versions from 2.6.32 to 2.6.32-rc7 are affected.

CVE-2008-3531: FreeBSD kernel stack overflow exploit development

[ posted by argp on 02.07.2009 ]

About four months ago I developed a reliable exploit for vulnerability CVE-2008-3531, which is also addressed in the advisory FreeBSD-SA-08:08.nmount. In this post I will use this vulnerability to provide an overview of the development process for FreeBSD kernel stack exploits.

CVE-2008-3531 is a kernel stack overflow vulnerability that affects FreeBSD versions 7.0-RELEASE and 7.0-STABLE, but not 7.1-RELEASE nor 7.1-STABLE as the CVE entry seems to suggest.

FreeBSD kernel stack overflows

[ posted by argp on 20.02.2009 ]

Last May (2008/05/30) I presented my research on FreeBSD kernel stack overflows at the University of Piraeus Software Libre Society, Event #16: Computer Security. The slides from the talk are now available in our research section.

FreeBSD kernel debugging

[ posted by argp on 19.01.2009 ]

The FreeBSD kernel can be debugged with the ddb(4) interactive kernel debugger. Although the latest production release of FreeBSD (7.1 at the time of this writing) adds some very useful features, ddb is still lacking the flexibility of gdb.

The FreeBSD developer’s handbook has a section on kernel debugging using remote gdb, but it is not directly applicable to VMware-based installations. The solution is to use VMware’s feature of creating virtual serial ports as named pipes to emulate a serial connection between two FreeBSD virtual machines.